PERVASIVE computing 53Trust is situation-specific; trust in one environment doesn't directly transfer to another environment. So a notion of context is necessary.Authorized licensed use limited to: TRINITY COLLEGE DUBLIN. Downloaded on January 21, 2009 at 05:54 from IEEE Xplore. Restrictions apply.them in a particular way-for example, to update old address book entries with accurate information. However, the principal could deviate from this expected behavior, and the combined likelihood and severity of this is the risk of granting them a privilege.
Risk analysisIn SECURE, the risks of a trust-mediated action are decomposed by possible outcomes. Each outcome's risk depends on the other principal's trustworthiness (the likelihood) and the outcome's intrinsic cost. For example, an address update might itself be out-of-date or maliciously misleading. These two outcomes' costs would reflect the user's wasted time, and the likelihoods would depend on trust in the other party.An outcome's costs could span a range of values. For example, a user might have received a correct phone book entry. This third outcome's cost could show a net benefit to the user, as the user might successfully use it later. However, if the number became out-ofdate by the time it was used, that would be a net loss. To reflect this uncertainty, you might represent the distribution of costs as a cost-PDF (probability density function). Figure 1 illustrates a user contemplating a parameterized interaction with principal p. For each possible outcome, the user has a parameterized cost-PDF (a family of cost-PDFs) that represents the range of possible costs and benefits the user might incur should each outcome occur.While the risk evaluator assesses the possible cost-PDFs, the trust calculator provides information t that determines the risk's likelihood based on the principal's identity p and other parameters of the action. The risk evaluator then uses this trust information to select the appropriate cost-PDF.Finally, the request analyzer combines all the outcomes' cost-PDFs to decide if the action should be taken or to arrange further interaction. Because any uncertainty is preserved right up to the decision point, this allows more complex decision making than simple thresholding, allowing responses such as "not sure" if there isn't enough information.In our continuing example, if Liz's PDA received a phone number from Vinny's PDA, she might not think it was maliciously misleading based on her trust in Vinny's honesty. She might think it could be out-of-date, however, if Vinny had given her stale information before, attributing a higher risk to this outcome. Finally, she'd consider the potential benefit of having a correct number, again moderated by Vinny's trustworthiness. Liz's PDA would do all these calculations on her behalf using its model of her trust beliefs, as Figure 2 illustrates. If the benefits outweighed the other outcomes' costs, the PDA would then accept the information.On the other hand, if John-a colleague from a competing research gr...
